While debugging bug 8561 I came across the fact that the value of the sambaPwdCanChange attribute is not honoured.
The function pdb_get_pass_can_change_time() in pdb_get_set.c returns the
time after which the password can be changed. It has the following logic:
a) If sambaPwdLastSet is 0, then the password cannot be changed, so
return 0.
b) If sambaPwdCanChange is 2147483647 and we have a sambaPwdLastSet
value, return sambaPwdLastSet.
c) Return the time the password was last changed plus the minimum password
age.
For the sambaPwdCanChange attribute that means that if the value is
2147483647, the password may be changed *after* the time the password was
last changed, but other values are ignored.
The attached patch extends the logic with the following:
If a user has a specific sambaPwdCanChange value, and this is later than the value as calculated by the policy, use it.
This allows us to prevent a user from setting his password until a certain time in the future, regardless of the minimum password age.
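The following is an added example that is not part of the bug report or of Samba's own pdb_get_set.c; it restates rules a) to c) above plus the patch's extension as a stand-alone C function so the behaviour can be checked against constructed values. The function name, the treatment of 0 as "no specific sambaPwdCanChange value set", and the minimum password age of one day are assumptions made here; the sentinel 2147483647 and the attribute names come from the report.

```c
#include <stdio.h>
#include <time.h>

/* Sentinel meaning "may change any time after sambaPwdLastSet" (from the report). */
#define PWD_CAN_CHANGE_ANYTIME 2147483647

/* Assumption: an unset sambaPwdCanChange attribute is represented as 0. */
#define PWD_CAN_CHANGE_UNSET 0

/*
 * Earliest time at which the password may be changed.
 *   last_set   : sambaPwdLastSet
 *   can_change : sambaPwdCanChange
 *   min_age    : minimum password age from the domain policy, in seconds
 * Returns 0 when the password cannot be changed at all.
 */
time_t pass_can_change_time(time_t last_set, time_t can_change, time_t min_age)
{
    /* a) no last-set time: the password cannot be changed. */
    if (last_set == 0)
        return 0;

    /* b) sentinel: changeable any time after it was last set. */
    if (can_change == PWD_CAN_CHANGE_ANYTIME)
        return last_set;

    /* c) policy value: last change plus minimum password age. */
    time_t policy = last_set + min_age;

    /* Patch extension: an explicit per-user value that lies later than the
     * policy value wins, so a user can be held off until a chosen time. */
    if (can_change != PWD_CAN_CHANGE_UNSET && can_change > policy)
        return can_change;

    return policy;
}

/* Convenience check for callers: may the password be changed at time now? */
int pass_change_allowed(time_t now, time_t last_set, time_t can_change, time_t min_age)
{
    time_t earliest = pass_can_change_time(last_set, can_change, min_age);
    return earliest != 0 && now >= earliest;
}

int main(void)
{
    /* Constructed sample values: last set at t=1000000, policy min age = 1 day. */
    const time_t last_set = 1000000;
    const time_t min_age  = 86400;

    printf("unset attr      -> %ld\n", (long)pass_can_change_time(last_set, PWD_CAN_CHANGE_UNSET, min_age));
    printf("sentinel        -> %ld\n", (long)pass_can_change_time(last_set, PWD_CAN_CHANGE_ANYTIME, min_age));
    printf("later than pol. -> %ld\n", (long)pass_can_change_time(last_set, last_set + 2 * 86400, min_age));
    printf("earlier than p. -> %ld\n", (long)pass_can_change_time(last_set, last_set + 10, min_age));
    printf("never set       -> %ld\n", (long)pass_can_change_time(0, last_set + 10, min_age));
    return 0;
}
```

The fourth case is the one the report calls out: before the patch a specific sambaPwdCanChange value other than the sentinel had no effect, so the policy value was always used; with the extension the per-user value is honoured only when it is later than the policy, so it can lengthen but never shorten the minimum age.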